- Email: [email protected]
Nonabelian sets with distinct k-sums
DISCRETE MATHEMATICS ELSEVIER
Discrete Mathematics 146 (1995) 169-177
Nonabelian sets with distinct k-sums A . M . O d l y z k o a'*, W . D . S m i t h b a A T&T Bell Laboratories, Murray Hill, NJ 07974, USA b NEC. 4 Independence Way, Princeton, NJ 08540. USA
Received 15 February 1993; revised 1! March 1994
Abstract A modified Bose-Chowla construction of sets with distinct sums of k-element subsets is presented. In infinitely many cases it yields sets with a certain multiplicative symmetry. These sets are then used to construct large sets S in certain nonabelian groups with the property that all k-letter words with letters from S are distinct.
1. Introduction Sets with distinct k-sums are (hopefully large) sets S such that all sums of k elements selected from S are distinct. (For short, we will call such sets Sk-Sets.) In the past, interest has generally been focused on such sets inside of Zm (that is, the sum is evaluated m o d u l o m). M o s t of the applications still work if S and the + operation live inside any abelian group. In some cases, larger sets S m a y be found inside such groups than exist in the cyclic g r o u p of the same order. Sk-sets have m a n y uses in combinatorics [3, 5, 7, 11]. We first show that for each k >/2, an infinite n u m b e r of values m exist so that a set S with distinct k-sums exists inside Zm, where [SI k > m, and such that these sets S enjoy a multiplicative s y m m e t r y m o d u l o m. (These sets are a slight variant of a well-known construction. W h a t is new is that our modification gives sets with multiplicative symmetries.) Second, we extend the Sk-Set notion to nonabelian groups G. We prove that for each value of k = 2, 3 ..... an infinite n u m b e r of groups G exist, such that there is a set S inside G with IGI x/k = O(ISIk) and such that all k-letter words whose letters are in S are distinct in G. These sets arose in connection with the second author's o n g o i n g work on maximal n u m b e r of edges in graphs of small girth.
* Corresponding author. E.mail: [email protected]. Elsevier Science B.V. SSDI 0 0 1 2 - 3 6 5 X ( 9 4 ) 0 0 1 6 2 - 6
170
A.M. Odlyzko, W.D. Smith~Discrete Mathematics 146 (1995) 169-177
Definition 1. Perfect difference sets are sets S, S c Zm, where Z,. is the additive abelian group of integers modulo m, such that every nonzero integer modulo m has a unique representation as a difference a - b mod m, a ~ S, b e S. In 1938, James Singer [10, 15, 16] constructed perfect difference sets for ISI = q, q any prime power. So far, Singer's construction is the only construction (up to obvious isomorphisms) that has ever been found for perfect difference sets. It is not known whether perfect difference sets exist that are not of Singer's type. Marshall Hall found that Singer's sets, as well as all known generalized difference sets (that is, in which each nonzero element of Zm is represented in 2 [a constant] number of ways as a difference of two elements in S) always possess isomorphs exhibiting multiplieative symmetries. That is, multiplying S by some integer t (modulo m) leaves it invariant. Indeed, Hall observes [10] that for every known generalized difference set, any prime t such that gcd(m, t) = 1 and tl(ISI - 2) gives rise to a multiplicative symmetry. For example, with q = 2, m = 7, the set S = { 1, 2, 4} is a perfect difference set featuring the multiplicative symmetry S=2S. With q = 3, m = 13, the set S = {0, 1, 3, 9} is a perfect difference set featuring the multiplicative symmetry S = 3S. This phenomenon was partially explained by Hall and Ryser's multiplier theorem [10, Theorem 11.4.1, p. 160 and Theorem 11.15.2, p. 166]. Perfect difference sets may be generalized in the following two ways. First, we may consider replacing Zm by an arbitrary abelian group. (As motivation, we mention that, as was observed in [3], there is an S2-set of size 7 inside G = Z 3 x Zs, IGI = 24. The least m so that an S2-set of size 7 exists inside Z,. is 48 I-8].) Secondly, we note that the sums of two elements in S are distinct if and only if the differences of elements in S are distinct, since a + b = c + d if and only ifa - d = c - b, which suggests the generalization (the following definition) of letting there be more than two elements in the sum.
Sk-sets are sets S c G, where G is any abelian finite group, such that the sum of any k elements selected (with replacement) from S is not equal to the sum of any other k elements of S, Definition 2.
Thus S2-sets in G = Zm, if m = ISI 2 - ISI + 1, are precisely the perfect difference sets. Applications of Sk-sets may be found in [3, 5, 7, 11]. How large can an Sk-Set be, compared to the size of the containing group G? Obviously
IGI/>
ISI(ISI + 1).--(ISi + k k~
1)
,
(1.1)
since the right-hand side is the number of ways to choose (a multiset of) k elements from S, with replacement. Thus when i GI is large and k is fixed, we have
ISI~<(k!IGI) '/k.
(1.2)
A.M. Odlyzko, W.D. Smith/Discrete Mathematics 146 (1995) 169-177
171
An upper bound with better asymptotic behavior is i
Lk/2J
[ k/2 ]
IG[ >t 1-I,=o (ISI-['k2-] + )'l-Ij=o (ISI + j )
Lk/2J .rk/2q!
(1.3)
This arises as follows. Choose Lk/2J elements with replacement from S, and let their sum be A. From the remaining ~ ISJ - Lk/2J elements, choose [k/2-] elements, and let their sum be B. Then the differences , 4 - B are distinct, and their number is bounded below by the quantity on the right-hand side of (1.3). When [GI is large and k is fixed, this leads to
ISl~(Lk/2J !'Vk/2-]!'l GI) Ilk.
(1.4)
When k = 2, Singer's construction, known results on prime gaps, and this upper bound are sufficient to determine the asymptotics of the minimal order v (n) of an abelian group G containing an S2-set of cardinality n: v(n) ~ n 2.
(1.5)
This observation settles an open problem mentioned in [3, p. 1343]. Bose and Chowla [2] constructed Sk-Sets of cardinality q + 1, where k = 2, 3, 4 .... and q is any prime power, inside Z,,, where m = ( q k + l - 1 ) / ( q - - l ) . These specialize to Singer's sets when k = 2. They also constructed Sk-Sets of cardinality q, where k = 2, 3, 4 .... and q is any prime power, inside Zm, where m = qk _ 1. Observe that in the limit when k ~> 3 is fixed and IGI is large, Bose and Chowla's SR-sets are only a constant factor ( ~ k/2e, if k is large, where e ,~ 2.71828 is the ban of the natural logarithm) smaller than the asymptotic upper bound (1.4). When k ~> 3, however, Bose and Chowla's sets are not necessarily exactly optimal. • Example: Bose and Chowla supply a 6-element Sa-set inside Z156, but there is a 8-element S3-set in Z156: S -~- {1,5,25, 125} w {2, 10,50,94}. • Example: Bose and Chowla supply a 5-element S3-set inside Z~24, but there is a 6-element S3-set in Z~24: S = {1,5,25} ~ {2, 10,50}. Also note that both these examples have a multiplicative symmetry S = 5S. In the present paper, we will observe that in an infinite number of cases some isomorph of Bose and Chowla's second type of set possesses a multiplicative symmetry.
Theorem 1. For every integer k >t 2 and every prime p so that kl(p - 1), there exists an Sk-Set S of cardinality p inside Zm, where m = pk _ 1, such that S = pS. Next, we will extend the Sk-Set notion to nonabelian groups G.
Definition 3. A nonabelian Sk-set is a set S c G, where G is a (nonabelian) finite group, such that all k-letter words, whose letters are selected (with replacement) from S, are distinct in G.
172
A.M. Odlyzko, W.D. Smith~Discrete Mathematics 146 (1995) 169-177
Notice that any Sk-set, including a nonabelian one, is also an Sj-set for every j = 1, 2 ..... k. (Proof: Consider appending a (k - j)-letter constant suffix to the end of the j-letter words). We prove the following result.
Theorem 2. For each value of k = 2, 3 ..... and any prime p with kl(p - 1), a nonabelian group G of order IGI = ( p k _ 1)k exists which contains a nonabelian Sk-set S of cardinality (p - 1)/k. Analogous to (1.1), one easily sees that any nonabelian Sk-set S inside a group G must obey
ISI ~< IGI '/k,
(1.6)
so the construction of Theorem 2 comes within a constant factor (in the asymptotic regime where k is fixed and [GI is large) of this upper bound. When k is large, this constant factor is approximately k. We can do better (see Theorem 3) if k = 2 and if we do not require that words a 2 be distinct (or equivalently, if we remove the words with replacement from Definition 3).
Theorem 3. Let q be a prime power. Then there exists a set S of cardinality q + 2 inside the dihedral group D2m of order 2m, where m = (q3 _ l)/(q - 1), such that the products xy with x, y ~ S, x ~ y, are distinct. (In particular, xy ~ yx for x ~ y.) Proof. Let D2,, be generated by r and f where r m =f2 = ( r f ) 2 = 1. Let S consist of the q + 1 elements of D2m of form rzf where z is in Singer's perfect difference set inside Zm and 1. [] Remark. One may also construct a set S of cardinality 1 + Flffqi + 1) inside a group of order 2l-I~(q 3 - 1)/(q~ - 1) where the q~ are prime powers, such that all the words xy, x ~ y, are distinct.
2. Sk-sets with multiplicative symmetries In this section we prove Theorem 1. We modify the B o s e - C h o w l a construction [2, 9-1. Let g be a primitive element of G F ( p k) (i.e. an element of multiplicative order pk _ 1). The discrete logarithm o f y ~ GF(pk), y ~: 0, is an integer l, taken as an element ofZm, m = pk _ 1, such that y = g~. We write I = loggy. We will often use the bijection between Zm and G F ( p k ) \ {0} given by the discrete logarithm. As in the B o s e - C h o w l a construction, choose x e G F (pk) SO that x is of degree k over GF(p), and is thus not in any proper subfield of GF(pk). F o r a fixed b EZra, we let S={logg(x+j)+b:
O~
(2.1)
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
173
The standard Bose-Chowla construction has b = 0. The present sets remain Sk-Sets since the addition of a constant to all elements does not affect the Sk-Set property. We now show that if we choose x and b properly, then S will have the multiplicative symmetry p S = S. This symmetry property will hold if for everyj e GF(p), there is an h e GF(p) such that p(logg(x + j) + b) = logg(x + h) + b
(2.2)
holds in Z,,. Exponentiating, we find this is equivalent to the equation 9bP(x + j)P = 9b(x + h)
(2.3)
in GF(pk), which (by the 'freshman's dream' identity (A + B)p = A p + BPmod p) in turn is equivalent to x p = 9 - b ( p - l~x + g - b ~ p - l) h _ j .
(2.4)
If there are fixed O, x and b such that a s j varies over GF(p), the h defined by Eq. (2.4) remains in GF(p), then we must have = g - h t p - 11 ~GF(p).
(2.5)
Moreover, we then must have x p = ~ x + oth - j .
(2.6)
If Eq. (2.6) holds for even a single pair (h,j) with ~ e G F ( p ) , then for every j 6GF(p), there will be an h EGF(p) such that Eq. (2.6) holds, and the set S will satisfy p S = S. Suppose that k l ( p - 1). We will show that a suitable choice o f x and • exists so that Eq. (2.6) holds with h = (j + 1)/~ for all j. We choose = g ~ - l~/k
(2.7)
We first show that ~ satisfies Eq. (2.5). To prove this, it suffices to show that p - 1 divides (pk _ 1)/k. This is equivalent to showing that k divides pk
1
p-1
= p k - 1 + p k - 2 + ... + 1"
However, modulo p - 1 the sum on the right-hand side above is k, and since k divides p - 1, we are done. We now come to the heart of the proof. Consider the equation zp - a z -
1 =0.
(2.8)
When we factor this over GF(p), we claim that it has one linear factor and (p - l ) / k irreducible factors, each of which is of degree k. If z is in GF(p), then z p = z by Fermat's little theorem, so (2.8) shows that z = - 1 / ( ~ - 1). Further, (2.8) has no multiple roots by the derivative test, so we have established the claimed result about linear factors. Suppose now that z is a root of (2.8) but z is not in GF(p). The
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
174
conjugates of z are z p, z p2, zP3,.... We find that z p2=(o~z+l)
p=az p+l=a2z+a+l.
(2.9)
An easy induction establishes the more general relation z pr = a'z + - - .
(2.10)
Since ~ is a primitive kth root of unity, we find that z p" = z for/a = k, but for no smaller positive #. Hence z is of degree k over GF(p), and our c l a i m is now proved. We have shown that for k l ( p - 1), if we select a according to (2.7), then there will be an x satisfying (2.8) such that the set S will have the multiplicative symmetry p S = S. This completes the proof of Theorem 1. [] We now mention some further consequences of the above proof. (1) The mapping x ~ p x of our set S to itself consists of one fixed point and ( p - 1 ) / k orbits of length k. To see this, note that for x and ~t, ~t # 0, fixed, cth - j = x p - ~ x = 1
has exactly one solution (h,j) with h = j , namely h = j = 1/(~ - 1), corresponding to the fixed point. There cannot be orbits of length r, 2 ~< r < k, since that would imply h --- ~'h so that (we are allowed to divide out the factor of ~r _ 1, since it is nonzero, since ~ is a primitive kth root of unity) h = 1/(~ - 1), but that was the fixed point. (2) Our construction requires that k l ( p - 1). Conversely, one can show that if Eq. (2.6) is satisfied for any h and j, and some • e GF(p), with x of degree k over GF(p), then k l ( p - 1). (3) The value of the o f f s e t b may be deduced, from Eqs. (2.5) and (2.7), and the fact that c~ is a primitive kth root of unity, to be given by b = (pk _ 1)(k -- 1)
(2.11)
(p- 1)k (4) The symmetric Sk-SetS in Zm which arise in this construction will remain symmetric S,-sets if any multiple o f t a l k is added to each element, or equivalently to b. In practice, to construct the set S, we would select ct to b e a n y element of G F ( p ) \ {0} of multiplicative order k, and let f(X) be one of the irreducible factors of degree k of XV-otX - 1 over GF(p). The field G F ( p k) would then be represented as GF(p)[X]/(f(X)), with x the image of X, and g would be a ((pk _ 1)/k)-th root of ct generating GF(pk). We now give an example to illustrate the construction procedure. Let p = 11 and k = 5. Note 5 I(11 - 1). The prime factorization of m = 11 s _ 1 = 161050 is 2-52"3221. We select 0t = 9 since 95 = 1 mod 11.
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
175
The factorization of x 11 - 9x - 1 over G F ( l l ) is (7 + x)(2 + 4x + 9x 2 + 6x 3 + 2x 4 + x5)(7 + 4x + 9x 2 + 6x 3 + 2x 4 + xS). (2.12) We will therefore usef(x) = 2 + 4x + 9X 2 + 6X 3 + 2X 4 + X5. A suitable g, which is a 32210th root of 9 (modulo F and modulo 11), is g = 2 + x 2. The fact that this g is a generator (as opposed to just being any old 32210th root of 9) may be verified by observing that none of gS.5.2= 2x + 6x 2 + 4 x 3 + 10x 4, g3221.5.2 9 and g3221.5,5 ~---4 are 1. =
We find from Eq. (2.11) that b = 12884. Then Iogg(x + 7 ) = 3221, Iogg(x + 0) -- 30542, logg(x + 6) -- 70549, and so on, as are easily verified, so that, upon adding b to these values, we arrive finally at the sought-after Ss-set modulo 161050: {16105} u {43426,83433} x {1, 11, 112, 113, 11'}.
(2.13)
Note that the complicated steps here were the selection of g and the discrete logarithm calculations. (Both of these computations are of course easy to verify by binary powering, but it is not immediately clear how to do them.) Selecting g is actually quite efficiently accomplished by random trial. The probability that a random nonzero element of G F ( p k) is a generator is ck(m)/m, where th is Euler's totient function and m = pk _ 1, and the probability that a random generator g will obey gm/k = Ct is 1/k. The combined probability ck(m)/(mk) (which in the present case is 1288/16105 ~ 0.08) is of order at least 1/(k21ogp). The discrete logarithms are certainly the computational bottleneck. In small cases such as this one, exhaustive search suffices. For larger values of m = pk _ 1, one can use the polynomial factorization algorithms in [6] and discrete logarithm algorithms in [13, 14].
3. Large nonabelian Sk-sets In this section we prove Theorem 2. The group is the following group of permutations of m = pk _ 1 letters: x--*x+amodm,
a=0..m-l,
x ~ xp + a mod m,
scramblings
rotations (3.1)
and the permutations they generate, namely
x-~ xpe + a m o d m
(e=O..k-
l,a=O..m-1).
We observe that • The group has order kin. • The kth power of a scrambling is a rotation (since pk = 1 mod m).
(3.2)
176
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
Note that the composition of k scramblings with a-values a l , a 2 , a 3 . . . . ak is the following permutation: x ~ x p k + ( a l p k - I + a2p k - 2 + ... + ak)
(3.3)
which is actually a rotation since pk = 1 mod m. (It is not the identity, however, unless al = a2 . . . . . ak e{0,p-- 1}.) Let T be an ordinary abelian Sk-Set of cardinality p, inside Zm constructed in Theorem 1, and having the multiplicative symmetry T p = T. Then divide T into (1TI - 1)/k equivalence classes of size k (also called orbits) under this symmetry plus a singleton. Then let S be the scramblings with a's consisting of one representative from each cardinality-k equivalence class. The reason this set S works is that alp k - i is also an element of T due to the multiplicative symmetry, so that the rotation length in (3.3) is a sum ofk elements of T, so these are distinct - except for the possibility of two such sums being the same sum in a different order, which cannot happen since we have picked one representative from each equivalence class. []
4. Open problems 1. Understand the multiplicative symmetries of Sk-Sets in Zm. 2. Here are two alternative ways to define nonabelian Sk-sets S inside a nonabelian group G. • Consider the 2k-letter words whose letters are alternately in S and in S-1, and where we only allow words such that no letter is adjacent to its inverse. We require that none of these words is the identity. • Consider the/-letter words w whose letters lie in S or S- 1 Again, no letter of w is allowed to be adjacent to its inverse. We require that none of these words is the identity. Can large nonabelian Sk-Sets of these two types be constructed? If these problems are solved, then one will have also made progress on an open problem in graph theory, the problem of finding the graphs of fixed girth g > 2k and having the most edges. Specifically, Cayley graphs and bipartite doubles of Cayley graphs constructed using generators from S will have large girths.
References [11 J.A. Bondy and U.S.R. Murty, Graph Theory with Applications (North-Holland, Amsterdam, 1976). [2] R.C. Bose and S. Chowla, Theorems in the additive theory of numbers, Math. Helvet. 37 (1962-3) 141-147. 1-3] A.E. Brouwer, J.B. Shearer, N.J.A. Sloane and W.D. Smith, A new table of constant weight codes, IEEE Trans. Inform. Theory 36(6) (1990) 1334-1380. [4] R.H. Bruck, Difference sets in a finite group, Trans. Amer. Math. Soc. 78 (1955) 464-481.
A.M. Odlyzko, W.D. Smith/Discrete Mathematics 146 (1995) 169-177
177
[5] F.R.K. Chung, Diameters and eigenvalues, J. Amer. Math. Soc. 2(2) (1989) 187-196. [6] K.O. Geddes, S.R. Czapor and G. Labahn, Algorithms for Computer Algebra (Kluwer, Dordrecht, 1992). [7] R.L. Graham and N.J.A. Sloane, Lower bounds for constant weight codes, IEEE Trans. inform. Theory 26 (1980) 37 43. [8] R.L. Graham and N.J.A. Sloane, On additive bases and harmonious graphs, SIAM J. Algebraic Discrete Methods 1 {1980) 382-404. [9] H. Halberstam and K.F. Roth, Sequences (Oxford University Press, Oxford, 1966). [10] M. Hall, Jr, Combinatorial Theory (Wiley, New York, 1986). [l 1] T. Kl~ve, A lower bound for A(n,4, w), IEEE Trans. Inform. Theory 27(2) 0981) 257-258. [12] R. Lidl and H. Niederreiter, Finite Fields (Addison-Wesley, New York, 1983). [13] K.S. McCurley, The discrete logarithm problem, in: C. Pomerance, ed., Cryptology and Computational Number Theory, AMS Proc. Symp. Pure Math. 42, (1990) 49-74. [14] A.M. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, in: T. Beth, N. Cot and I. lngemarsson, eds., Advances in Cryptology, Proc. of EUROCRYPT 84, Lecture Notes in Computer Science Vol. 209 (Springer, Berlin, 1985). [15] J. Singer, A theorem in finite projective geometry and some applications to number theory, Trans. Amer. Math. Soc. 43 (1938) 377 385. [16] J. Singer, Perfect difference sets, Trans. New York Acad. Sci. (2) 28 (1965/6) 883-888.
Discrete Mathematics 146 (1995) 169-177
Nonabelian sets with distinct k-sums A . M . O d l y z k o a'*, W . D . S m i t h b a A T&T Bell Laboratories, Murray Hill, NJ 07974, USA b NEC. 4 Independence Way, Princeton, NJ 08540. USA
Received 15 February 1993; revised 1! March 1994
Abstract A modified Bose-Chowla construction of sets with distinct sums of k-element subsets is presented. In infinitely many cases it yields sets with a certain multiplicative symmetry. These sets are then used to construct large sets S in certain nonabelian groups with the property that all k-letter words with letters from S are distinct.
1. Introduction Sets with distinct k-sums are (hopefully large) sets S such that all sums of k elements selected from S are distinct. (For short, we will call such sets Sk-Sets.) In the past, interest has generally been focused on such sets inside of Zm (that is, the sum is evaluated m o d u l o m). M o s t of the applications still work if S and the + operation live inside any abelian group. In some cases, larger sets S m a y be found inside such groups than exist in the cyclic g r o u p of the same order. Sk-sets have m a n y uses in combinatorics [3, 5, 7, 11]. We first show that for each k >/2, an infinite n u m b e r of values m exist so that a set S with distinct k-sums exists inside Zm, where [SI k > m, and such that these sets S enjoy a multiplicative s y m m e t r y m o d u l o m. (These sets are a slight variant of a well-known construction. W h a t is new is that our modification gives sets with multiplicative symmetries.) Second, we extend the Sk-Set notion to nonabelian groups G. We prove that for each value of k = 2, 3 ..... an infinite n u m b e r of groups G exist, such that there is a set S inside G with IGI x/k = O(ISIk) and such that all k-letter words whose letters are in S are distinct in G. These sets arose in connection with the second author's o n g o i n g work on maximal n u m b e r of edges in graphs of small girth.
* Corresponding author. E.mail: [email protected]. Elsevier Science B.V. SSDI 0 0 1 2 - 3 6 5 X ( 9 4 ) 0 0 1 6 2 - 6
170
A.M. Odlyzko, W.D. Smith~Discrete Mathematics 146 (1995) 169-177
Definition 1. Perfect difference sets are sets S, S c Zm, where Z,. is the additive abelian group of integers modulo m, such that every nonzero integer modulo m has a unique representation as a difference a - b mod m, a ~ S, b e S. In 1938, James Singer [10, 15, 16] constructed perfect difference sets for ISI = q, q any prime power. So far, Singer's construction is the only construction (up to obvious isomorphisms) that has ever been found for perfect difference sets. It is not known whether perfect difference sets exist that are not of Singer's type. Marshall Hall found that Singer's sets, as well as all known generalized difference sets (that is, in which each nonzero element of Zm is represented in 2 [a constant] number of ways as a difference of two elements in S) always possess isomorphs exhibiting multiplieative symmetries. That is, multiplying S by some integer t (modulo m) leaves it invariant. Indeed, Hall observes [10] that for every known generalized difference set, any prime t such that gcd(m, t) = 1 and tl(ISI - 2) gives rise to a multiplicative symmetry. For example, with q = 2, m = 7, the set S = { 1, 2, 4} is a perfect difference set featuring the multiplicative symmetry S=2S. With q = 3, m = 13, the set S = {0, 1, 3, 9} is a perfect difference set featuring the multiplicative symmetry S = 3S. This phenomenon was partially explained by Hall and Ryser's multiplier theorem [10, Theorem 11.4.1, p. 160 and Theorem 11.15.2, p. 166]. Perfect difference sets may be generalized in the following two ways. First, we may consider replacing Zm by an arbitrary abelian group. (As motivation, we mention that, as was observed in [3], there is an S2-set of size 7 inside G = Z 3 x Zs, IGI = 24. The least m so that an S2-set of size 7 exists inside Z,. is 48 I-8].) Secondly, we note that the sums of two elements in S are distinct if and only if the differences of elements in S are distinct, since a + b = c + d if and only ifa - d = c - b, which suggests the generalization (the following definition) of letting there be more than two elements in the sum.
Sk-sets are sets S c G, where G is any abelian finite group, such that the sum of any k elements selected (with replacement) from S is not equal to the sum of any other k elements of S, Definition 2.
Thus S2-sets in G = Zm, if m = ISI 2 - ISI + 1, are precisely the perfect difference sets. Applications of Sk-sets may be found in [3, 5, 7, 11]. How large can an Sk-Set be, compared to the size of the containing group G? Obviously
IGI/>
ISI(ISI + 1).--(ISi + k k~
1)
,
(1.1)
since the right-hand side is the number of ways to choose (a multiset of) k elements from S, with replacement. Thus when i GI is large and k is fixed, we have
ISI~<(k!IGI) '/k.
(1.2)
A.M. Odlyzko, W.D. Smith/Discrete Mathematics 146 (1995) 169-177
171
An upper bound with better asymptotic behavior is i
Lk/2J
[ k/2 ]
IG[ >t 1-I,=o (ISI-['k2-] + )'l-Ij=o (ISI + j )
Lk/2J .rk/2q!
(1.3)
This arises as follows. Choose Lk/2J elements with replacement from S, and let their sum be A. From the remaining ~ ISJ - Lk/2J elements, choose [k/2-] elements, and let their sum be B. Then the differences , 4 - B are distinct, and their number is bounded below by the quantity on the right-hand side of (1.3). When [GI is large and k is fixed, this leads to
ISl~(Lk/2J !'Vk/2-]!'l GI) Ilk.
(1.4)
When k = 2, Singer's construction, known results on prime gaps, and this upper bound are sufficient to determine the asymptotics of the minimal order v (n) of an abelian group G containing an S2-set of cardinality n: v(n) ~ n 2.
(1.5)
This observation settles an open problem mentioned in [3, p. 1343]. Bose and Chowla [2] constructed Sk-Sets of cardinality q + 1, where k = 2, 3, 4 .... and q is any prime power, inside Z,,, where m = ( q k + l - 1 ) / ( q - - l ) . These specialize to Singer's sets when k = 2. They also constructed Sk-Sets of cardinality q, where k = 2, 3, 4 .... and q is any prime power, inside Zm, where m = qk _ 1. Observe that in the limit when k ~> 3 is fixed and IGI is large, Bose and Chowla's SR-sets are only a constant factor ( ~ k/2e, if k is large, where e ,~ 2.71828 is the ban of the natural logarithm) smaller than the asymptotic upper bound (1.4). When k ~> 3, however, Bose and Chowla's sets are not necessarily exactly optimal. • Example: Bose and Chowla supply a 6-element Sa-set inside Z156, but there is a 8-element S3-set in Z156: S -~- {1,5,25, 125} w {2, 10,50,94}. • Example: Bose and Chowla supply a 5-element S3-set inside Z~24, but there is a 6-element S3-set in Z~24: S = {1,5,25} ~ {2, 10,50}. Also note that both these examples have a multiplicative symmetry S = 5S. In the present paper, we will observe that in an infinite number of cases some isomorph of Bose and Chowla's second type of set possesses a multiplicative symmetry.
Theorem 1. For every integer k >t 2 and every prime p so that kl(p - 1), there exists an Sk-Set S of cardinality p inside Zm, where m = pk _ 1, such that S = pS. Next, we will extend the Sk-Set notion to nonabelian groups G.
Definition 3. A nonabelian Sk-set is a set S c G, where G is a (nonabelian) finite group, such that all k-letter words, whose letters are selected (with replacement) from S, are distinct in G.
172
A.M. Odlyzko, W.D. Smith~Discrete Mathematics 146 (1995) 169-177
Notice that any Sk-set, including a nonabelian one, is also an Sj-set for every j = 1, 2 ..... k. (Proof: Consider appending a (k - j)-letter constant suffix to the end of the j-letter words). We prove the following result.
Theorem 2. For each value of k = 2, 3 ..... and any prime p with kl(p - 1), a nonabelian group G of order IGI = ( p k _ 1)k exists which contains a nonabelian Sk-set S of cardinality (p - 1)/k. Analogous to (1.1), one easily sees that any nonabelian Sk-set S inside a group G must obey
ISI ~< IGI '/k,
(1.6)
so the construction of Theorem 2 comes within a constant factor (in the asymptotic regime where k is fixed and [GI is large) of this upper bound. When k is large, this constant factor is approximately k. We can do better (see Theorem 3) if k = 2 and if we do not require that words a 2 be distinct (or equivalently, if we remove the words with replacement from Definition 3).
Theorem 3. Let q be a prime power. Then there exists a set S of cardinality q + 2 inside the dihedral group D2m of order 2m, where m = (q3 _ l)/(q - 1), such that the products xy with x, y ~ S, x ~ y, are distinct. (In particular, xy ~ yx for x ~ y.) Proof. Let D2,, be generated by r and f where r m =f2 = ( r f ) 2 = 1. Let S consist of the q + 1 elements of D2m of form rzf where z is in Singer's perfect difference set inside Zm and 1. [] Remark. One may also construct a set S of cardinality 1 + Flffqi + 1) inside a group of order 2l-I~(q 3 - 1)/(q~ - 1) where the q~ are prime powers, such that all the words xy, x ~ y, are distinct.
2. Sk-sets with multiplicative symmetries In this section we prove Theorem 1. We modify the B o s e - C h o w l a construction [2, 9-1. Let g be a primitive element of G F ( p k) (i.e. an element of multiplicative order pk _ 1). The discrete logarithm o f y ~ GF(pk), y ~: 0, is an integer l, taken as an element ofZm, m = pk _ 1, such that y = g~. We write I = loggy. We will often use the bijection between Zm and G F ( p k ) \ {0} given by the discrete logarithm. As in the B o s e - C h o w l a construction, choose x e G F (pk) SO that x is of degree k over GF(p), and is thus not in any proper subfield of GF(pk). F o r a fixed b EZra, we let S={logg(x+j)+b:
O~
(2.1)
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
173
The standard Bose-Chowla construction has b = 0. The present sets remain Sk-Sets since the addition of a constant to all elements does not affect the Sk-Set property. We now show that if we choose x and b properly, then S will have the multiplicative symmetry p S = S. This symmetry property will hold if for everyj e GF(p), there is an h e GF(p) such that p(logg(x + j) + b) = logg(x + h) + b
(2.2)
holds in Z,,. Exponentiating, we find this is equivalent to the equation 9bP(x + j)P = 9b(x + h)
(2.3)
in GF(pk), which (by the 'freshman's dream' identity (A + B)p = A p + BPmod p) in turn is equivalent to x p = 9 - b ( p - l~x + g - b ~ p - l) h _ j .
(2.4)
If there are fixed O, x and b such that a s j varies over GF(p), the h defined by Eq. (2.4) remains in GF(p), then we must have = g - h t p - 11 ~GF(p).
(2.5)
Moreover, we then must have x p = ~ x + oth - j .
(2.6)
If Eq. (2.6) holds for even a single pair (h,j) with ~ e G F ( p ) , then for every j 6GF(p), there will be an h EGF(p) such that Eq. (2.6) holds, and the set S will satisfy p S = S. Suppose that k l ( p - 1). We will show that a suitable choice o f x and • exists so that Eq. (2.6) holds with h = (j + 1)/~ for all j. We choose = g ~ - l~/k
(2.7)
We first show that ~ satisfies Eq. (2.5). To prove this, it suffices to show that p - 1 divides (pk _ 1)/k. This is equivalent to showing that k divides pk
1
p-1
= p k - 1 + p k - 2 + ... + 1"
However, modulo p - 1 the sum on the right-hand side above is k, and since k divides p - 1, we are done. We now come to the heart of the proof. Consider the equation zp - a z -
1 =0.
(2.8)
When we factor this over GF(p), we claim that it has one linear factor and (p - l ) / k irreducible factors, each of which is of degree k. If z is in GF(p), then z p = z by Fermat's little theorem, so (2.8) shows that z = - 1 / ( ~ - 1). Further, (2.8) has no multiple roots by the derivative test, so we have established the claimed result about linear factors. Suppose now that z is a root of (2.8) but z is not in GF(p). The
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
174
conjugates of z are z p, z p2, zP3,.... We find that z p2=(o~z+l)
p=az p+l=a2z+a+l.
(2.9)
An easy induction establishes the more general relation z pr = a'z + - - .
(2.10)
Since ~ is a primitive kth root of unity, we find that z p" = z for/a = k, but for no smaller positive #. Hence z is of degree k over GF(p), and our c l a i m is now proved. We have shown that for k l ( p - 1), if we select a according to (2.7), then there will be an x satisfying (2.8) such that the set S will have the multiplicative symmetry p S = S. This completes the proof of Theorem 1. [] We now mention some further consequences of the above proof. (1) The mapping x ~ p x of our set S to itself consists of one fixed point and ( p - 1 ) / k orbits of length k. To see this, note that for x and ~t, ~t # 0, fixed, cth - j = x p - ~ x = 1
has exactly one solution (h,j) with h = j , namely h = j = 1/(~ - 1), corresponding to the fixed point. There cannot be orbits of length r, 2 ~< r < k, since that would imply h --- ~'h so that (we are allowed to divide out the factor of ~r _ 1, since it is nonzero, since ~ is a primitive kth root of unity) h = 1/(~ - 1), but that was the fixed point. (2) Our construction requires that k l ( p - 1). Conversely, one can show that if Eq. (2.6) is satisfied for any h and j, and some • e GF(p), with x of degree k over GF(p), then k l ( p - 1). (3) The value of the o f f s e t b may be deduced, from Eqs. (2.5) and (2.7), and the fact that c~ is a primitive kth root of unity, to be given by b = (pk _ 1)(k -- 1)
(2.11)
(p- 1)k (4) The symmetric Sk-SetS in Zm which arise in this construction will remain symmetric S,-sets if any multiple o f t a l k is added to each element, or equivalently to b. In practice, to construct the set S, we would select ct to b e a n y element of G F ( p ) \ {0} of multiplicative order k, and let f(X) be one of the irreducible factors of degree k of XV-otX - 1 over GF(p). The field G F ( p k) would then be represented as GF(p)[X]/(f(X)), with x the image of X, and g would be a ((pk _ 1)/k)-th root of ct generating GF(pk). We now give an example to illustrate the construction procedure. Let p = 11 and k = 5. Note 5 I(11 - 1). The prime factorization of m = 11 s _ 1 = 161050 is 2-52"3221. We select 0t = 9 since 95 = 1 mod 11.
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
175
The factorization of x 11 - 9x - 1 over G F ( l l ) is (7 + x)(2 + 4x + 9x 2 + 6x 3 + 2x 4 + x5)(7 + 4x + 9x 2 + 6x 3 + 2x 4 + xS). (2.12) We will therefore usef(x) = 2 + 4x + 9X 2 + 6X 3 + 2X 4 + X5. A suitable g, which is a 32210th root of 9 (modulo F and modulo 11), is g = 2 + x 2. The fact that this g is a generator (as opposed to just being any old 32210th root of 9) may be verified by observing that none of gS.5.2= 2x + 6x 2 + 4 x 3 + 10x 4, g3221.5.2 9 and g3221.5,5 ~---4 are 1. =
We find from Eq. (2.11) that b = 12884. Then Iogg(x + 7 ) = 3221, Iogg(x + 0) -- 30542, logg(x + 6) -- 70549, and so on, as are easily verified, so that, upon adding b to these values, we arrive finally at the sought-after Ss-set modulo 161050: {16105} u {43426,83433} x {1, 11, 112, 113, 11'}.
(2.13)
Note that the complicated steps here were the selection of g and the discrete logarithm calculations. (Both of these computations are of course easy to verify by binary powering, but it is not immediately clear how to do them.) Selecting g is actually quite efficiently accomplished by random trial. The probability that a random nonzero element of G F ( p k) is a generator is ck(m)/m, where th is Euler's totient function and m = pk _ 1, and the probability that a random generator g will obey gm/k = Ct is 1/k. The combined probability ck(m)/(mk) (which in the present case is 1288/16105 ~ 0.08) is of order at least 1/(k21ogp). The discrete logarithms are certainly the computational bottleneck. In small cases such as this one, exhaustive search suffices. For larger values of m = pk _ 1, one can use the polynomial factorization algorithms in [6] and discrete logarithm algorithms in [13, 14].
3. Large nonabelian Sk-sets In this section we prove Theorem 2. The group is the following group of permutations of m = pk _ 1 letters: x--*x+amodm,
a=0..m-l,
x ~ xp + a mod m,
scramblings
rotations (3.1)
and the permutations they generate, namely
x-~ xpe + a m o d m
(e=O..k-
l,a=O..m-1).
We observe that • The group has order kin. • The kth power of a scrambling is a rotation (since pk = 1 mod m).
(3.2)
176
A.M. Odlyzko, W.D. Smith / Discrete Mathematics 146 (1995) 169-177
Note that the composition of k scramblings with a-values a l , a 2 , a 3 . . . . ak is the following permutation: x ~ x p k + ( a l p k - I + a2p k - 2 + ... + ak)
(3.3)
which is actually a rotation since pk = 1 mod m. (It is not the identity, however, unless al = a2 . . . . . ak e{0,p-- 1}.) Let T be an ordinary abelian Sk-Set of cardinality p, inside Zm constructed in Theorem 1, and having the multiplicative symmetry T p = T. Then divide T into (1TI - 1)/k equivalence classes of size k (also called orbits) under this symmetry plus a singleton. Then let S be the scramblings with a's consisting of one representative from each cardinality-k equivalence class. The reason this set S works is that alp k - i is also an element of T due to the multiplicative symmetry, so that the rotation length in (3.3) is a sum ofk elements of T, so these are distinct - except for the possibility of two such sums being the same sum in a different order, which cannot happen since we have picked one representative from each equivalence class. []
4. Open problems 1. Understand the multiplicative symmetries of Sk-Sets in Zm. 2. Here are two alternative ways to define nonabelian Sk-sets S inside a nonabelian group G. • Consider the 2k-letter words whose letters are alternately in S and in S-1, and where we only allow words such that no letter is adjacent to its inverse. We require that none of these words is the identity. • Consider the/-letter words w whose letters lie in S or S- 1 Again, no letter of w is allowed to be adjacent to its inverse. We require that none of these words is the identity. Can large nonabelian Sk-Sets of these two types be constructed? If these problems are solved, then one will have also made progress on an open problem in graph theory, the problem of finding the graphs of fixed girth g > 2k and having the most edges. Specifically, Cayley graphs and bipartite doubles of Cayley graphs constructed using generators from S will have large girths.
References [11 J.A. Bondy and U.S.R. Murty, Graph Theory with Applications (North-Holland, Amsterdam, 1976). [2] R.C. Bose and S. Chowla, Theorems in the additive theory of numbers, Math. Helvet. 37 (1962-3) 141-147. 1-3] A.E. Brouwer, J.B. Shearer, N.J.A. Sloane and W.D. Smith, A new table of constant weight codes, IEEE Trans. Inform. Theory 36(6) (1990) 1334-1380. [4] R.H. Bruck, Difference sets in a finite group, Trans. Amer. Math. Soc. 78 (1955) 464-481.
A.M. Odlyzko, W.D. Smith/Discrete Mathematics 146 (1995) 169-177
177
[5] F.R.K. Chung, Diameters and eigenvalues, J. Amer. Math. Soc. 2(2) (1989) 187-196. [6] K.O. Geddes, S.R. Czapor and G. Labahn, Algorithms for Computer Algebra (Kluwer, Dordrecht, 1992). [7] R.L. Graham and N.J.A. Sloane, Lower bounds for constant weight codes, IEEE Trans. inform. Theory 26 (1980) 37 43. [8] R.L. Graham and N.J.A. Sloane, On additive bases and harmonious graphs, SIAM J. Algebraic Discrete Methods 1 {1980) 382-404. [9] H. Halberstam and K.F. Roth, Sequences (Oxford University Press, Oxford, 1966). [10] M. Hall, Jr, Combinatorial Theory (Wiley, New York, 1986). [l 1] T. Kl~ve, A lower bound for A(n,4, w), IEEE Trans. Inform. Theory 27(2) 0981) 257-258. [12] R. Lidl and H. Niederreiter, Finite Fields (Addison-Wesley, New York, 1983). [13] K.S. McCurley, The discrete logarithm problem, in: C. Pomerance, ed., Cryptology and Computational Number Theory, AMS Proc. Symp. Pure Math. 42, (1990) 49-74. [14] A.M. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, in: T. Beth, N. Cot and I. lngemarsson, eds., Advances in Cryptology, Proc. of EUROCRYPT 84, Lecture Notes in Computer Science Vol. 209 (Springer, Berlin, 1985). [15] J. Singer, A theorem in finite projective geometry and some applications to number theory, Trans. Amer. Math. Soc. 43 (1938) 377 385. [16] J. Singer, Perfect difference sets, Trans. New York Acad. Sci. (2) 28 (1965/6) 883-888.